One key to security: Think like a hacker, expert says

Related Links

The director of the Army's Information Operations Assurance Office wants security officials to work smarter, just as IT criminals are doing.

'We're finding out that imagination is the key because the bad guys use imagination to get through our security,' Col. Thaddeus Dmuchowski said at the recent National High-Performance Computing and Communications Council conference in Newport, R.I.

High-performance computers are more vulnerable, he said, because encryption algorithms considered unbreakable not long ago can now be cracked quickly.

Between 2000 and 2001, he said, the Army Computer Emergency Response Team counted a steady rise in reported incidents, from 5,616 to 14,641. The number of IT systems intrusions jumped from 64 to 98. During the first five-and-a-half months of this fiscal year, the team logged 6,514 incidents and 30 intrusions.

One hacker made multiple entries over a year's time before getting arrested, and 98 percent of all intrusions were via known vulnerabilities that should have been fixed, Dmuchowski said.

Attaching a cost value to a successful hack or virus attack helps persuade senior managers to fund security initiatives. It 'gives us the hammer to get something done,' Dmuchowski said.Shortly after the Sept. 11 terrorist attacks, one military base's Web site was found to be telling potential visitors they could just wave at the guard to enter. The site also gave directions to the base's chemical weapons storage.

'And then they wonder why we're being draconian about pulling information off the Internet,' Dmuchowski said. It takes a combination of technology and regulations to keep unauthorized people out, he said.

Also speaking at the conference, Army Lt. Col. Robert Bollig said he expects the military services to fully integrate biometric authentication by 2012.

Bollig, executive officer of the Defense Department's Biometrics Management Office, said he cannot force biometric measures on anyone but only recommend them as customer service.In early 2001, Bollig's office opened a West Virginia test center to evaluate off-the-shelf biometric tools. The center also sponsored a 15-hour graduate certificate in information assurance and biometrics at West Virginia University in Morgantown.

The most urgent development needs are for more rugged biometric devices and ways to update personal attributes as people age, Bollig said.

Also at the conference, a computer scientist from the National Infrastructure Protection Center urged agencies to watch out for insider cyberattacks.

Tools for a new trade

Robert M. Wright, on detail to NIPC's Special Technology Application Unit from the Army, said today's insiders are bringing in their own tools such as key-chain hard drives, anonymous-remailer software, peer-to-peer applications, infrared and radio wireless devices, and steganography'messages hidden within digital images.

Wright emphasized the need to investigate subcontractors and service providers who have never undergone the same background checks as prime contractors.

Finally, agencies should provide continual training in and enforcement of basic security policies and procedures. Wright likened it to the hundreds of hours that football players spend drilling.

'The idea is repetition, and the pro players know it,' Wright said. 'That's how you get good at it. If people would employ the technology we have today, most of the intrusions wouldn't take place.'

Criminals generally give up on a well-protected system and find one that's easier to hack, he said.